diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5112cfa..e4f33a3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,6 @@ updates:
 directory: /
 schedule:
 interval: monthly
- time: '10:00'
- timezone: 'America/Toronto'
 commit-message:
 prefix: chore
 ignore:
@@ -16,7 +14,5 @@ updates:
 directory: /
 schedule:
 interval: monthly
- time: '10:00'
- timezone: 'America/Toronto'
 commit-message:
 prefix: chore
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index c465612..ccf8eb5 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -25,6 +25,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: pnpm/action-setup@v4
@@ -51,7 +53,7 @@ jobs:
 # If `dist/` was different than expected, and this was not a Dependabot
 # PR, upload the expected version as a workflow artifact.
 - uses: actions/upload-artifact@v4
- if: ${{ steps.diff.outcome == 'failure' }}
+ if: ${{ failure() && steps.diff.outcome == 'failure' }}
 with:
 name: dist
 path: dist/
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 284a3b0..f38e5ca 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,6 +49,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index 824fa78..bed5923 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -9,6 +9,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./
 with:
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 2fdb517..2473de6 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
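Review bot: The added `persist-credentials: false` keeps the token out of the checkout's git config, but the `uses: actions/checkout@v4` step it modifies is still referenced by a mutable tag, so the action's code can change underneath this workflow with no change in this repository. Pinning to a full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4.x.y`, closes that gap with no other change to the step. The same applies to the checkout steps hardened in codeql.yml and dco.yml in this commit, and the zizmor workflow added here may report these refs itself depending on its `unpinned-uses` policy.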
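Review bot: The new `if:` condition is correct but the reason for `failure()` is not recorded: an `if` expression that contains no status-check function is implicitly wrapped in `success()`, so the old `steps.diff.outcome == 'failure'` could never be true once the diff step had failed the job. A comment above the `if:` line would stop someone from simplifying it back, e.g. `# failure() is required: without a status function GitHub implies success(), so this step would never run after the diff step fails.`. Note the condition now also depends on `steps.diff` failing the job rather than using `continue-on-error: true`; with that setting `failure()` would be false and the upload silently skipped. The diff step and the Dependabot condition the comment refers to are outside this hunk.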
@@ -3,14 +3,14 @@ name: Dependabot auto-merge
 on:
 pull_request:
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 dependabot-automerge:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 steps:
 - uses: KineticCafe/actions/dependabot-automerge@v2.0
 with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..6e37770
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+
+jobs:
+ zizmor:
+ name: zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/Changelog.md b/Changelog.md
index 89edb77..3565e83 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,12 +1,20 @@
 # KineticCafe/actions-dco Changelog
+## 1.3.1 / 2024-11-01
+
+- Upgrade dependencies.
+
+- Add CodeQL configuration.
+
+- Switch to Mise for local dependency management instead of NVM with direnv.
+
 ## 1.3 / 2024-02-28
 - Upgrade dependencies.
 - Improved governance documentation, mostly by adding it.
-- Switched from eslint/prettier to Biome.
+- Switched from ESLint & prettier to Biome.
 - Included action / version in the output.
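Review bot: The job-level `permissions` block now grants `contents: write` and `pull-requests: write` to every `pull_request` run of this workflow, not only those opened by Dependabot, and nothing visible in the hunk restricts the actor. Unless `KineticCafe/actions/dependabot-automerge@v2.0` refuses to act for other users, gating the job with `if: github.event.pull_request.user.login == 'dependabot[bot]'` keeps the write-scoped token out of ordinary PR runs (fork PRs already receive a read-only token, so this is about same-repository branches). Moving the block from workflow scope to the job is the right direction; the job's `with:` inputs continue outside the hunk.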
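Review bot: The `Run zizmor` step has no exit-status handling and the `Upload SARIF file` step has no `if: always()`, so if zizmor exits non-zero when it reports findings (its exit code encodes the highest severity found in current releases), the SARIF is never uploaded in exactly the runs that have something to show. Either add `if: always()` to the upload step or run `zizmor --no-exit-codes --format sarif . > results.sarif` so the step succeeds and code scanning receives the results. Separately, `cargo install zizmor` builds whatever version is newest on crates.io at run time, as the job name acknowledges, so findings for the same commit can differ between runs; `cargo install --locked zizmor --version <x.y.z>` (or the pinned installation method zizmor documents) makes the scan reproducible and the upgrade an explicit change.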
@@ -23,5 +31,5 @@
 ## 1.0 / 2023-06-12
-- Initial release. This is a Typescript port of tisonkun/actions-dco set
- to use Node v16.
+- Initial release. This is a Typescript port of tisonkun/actions-dco set to use
+ Node v16.